Researcher builds system to protect against malicious insiders

When an employee turns on his own company, the results - damaged networks, data theft and even work stoppage -- could be devastating. Virginia Tech's Daphne Yao hopes the algorithms she's working on can stop that kind of attack.

And the Army Research Office has awarded her $US150,000 to continue her research into finding new ways to detect anomalies caused by system compromises and malicious insiders.

"The challenge is to understand the intention of the user and what the user is trying to do," Yao said. "Most are doing legitimate work and they're working their own project and minding their own business. You need a detection system that can guess what the user is trying to do."

The crux of Yao's work is to figure out which employees are simply downloading sensitive files or logging onto the network in the middle of the night because they're trying to get their work done and which employees may be doing the same things because they're trying to sell proprietary information or crash the network.

According to a 2012 Symantec report, 60% of companies said they had experienced attacks on their systems to steal proprietary information. The most frequent perpetrators were current or former employees or partners in trusted relationships.

In 1996, for instance, a network administrator at Omega Engineering Inc. planted a software time bomb that eradicated all the programs that ran the company's manufacturing operations at its Bridgeport, N.J. plant.

The trusted IT administrator, Tim Lloyd, effectively stopped the manufacturing company from being able to manufacture, causing the company $12 million in damages and its footing in the high-tech instrument and measurement market. Eighty workers lost their jobs as a result.

The Army Research Office did not respond to a request for comment, but Dan Olds, an analyst with The Gabriel Consulting Group, said he's not surprised that the military is supporting research into detecting insider threats.

"The U.S. military is very concerned about security these days," added Olds. "The Bradley Manning leaks highlighted the massive damage that even a lowly Pfc can wreak if given access to a poorly secured IT infrastructure. The Snowden and Manning leaks have had a very severe impact on U.S. intelligence activities, disclosing not only the information gathered, but also showing the sources and methods used to get US intelligence data."

He also said insider-based attacks normally may not get as much media attention as most hacks, but can potentially cause much greater damage since the attacker at least knows where the keys to the castle are hidden. And if that attacker works in IT, he or she might even have the keys.

"Insider threats are many times the most devastating, as they are the least expected," said Patrick Moorhead, an analyst with Moor Insights & Strategy. "Companies spend most of their security time and money guarding against external threats.... So that sometimes leaves the inside exposed."

To combat this, Yao is combining big data, analytics and security to design algorithms that focus on linking human activities with network actions.

Typical computer systems monitor things like network traffic, file system events and email activities. They also focus on looking for specific warning signs, like someone uploading large amounts of data. The problem with that is that if someone knows what the warning signs are, they can easily adjust their actions -- uploading data in smaller increments, for instance -- to avoid detection.

Yao is taking a different approach; her algorithms are focused on learning what are normal activities and then detecting anything unusual.

"We build on a model of normal behaviors and then detect a deviation from normal behaviors," she explained. "If you see a user logging in and access a database or doing a file read or write in the middle of the night..., then you ask, 'Is this a legitimate sequence of actions or is this an anomaly?'"

She also said part of the idea behind her detection system is to corroborate the user's actions with what's happening on the network.

If, for instance, a military team is on a reconnaissance mission, then it makes sense that they would be accessing maps from a backend server and pulling various data off the network.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.